3.5 Securing Federation

You can secure your federation relationships in numerous ways. The available methods are defined within the federation protocols themselves. The method you want to use must be agreed upon by both members of a federation relationship, that is, between the identity provider (the role Access Manager most often plays) and the service provider (for example, a SaaS service).

The most commonly used means of security includes using HTTPS for communication between parties secured by well-known CA certificates. For information about how to enable HTTPS in Access Manager Identity Server, see Enabling SSL between Identity Server and a Service Provider.

For SAML, another option is signing and/or encrypting the assertions. For more information, see Configuring the Encryption Method for the SAML Assertion. SAML also defines options for how assertion data is communicated between the parties, known as protocol bindings. The protocol bindings are Post and Artifact. The Post binding is currently the simplest and the most popular among SaaS vendors, and is typically secured using HTTPS, assertion signing, and encryption. The Artifact binding is considered more secure, but that level of security is not always required for a federation relationship.

Post method versus exchange artifacts: When you set up a federation between an identity provider and a service provider, you can select either to exchange assertions with a post method or to exchange artifacts.

An assertion in a post method might contain the user’s password or other sensitive data, which can make it less secure than an artifact when the assertion is sent to the browser.

An artifact is a randomly generated ID that contains no sensitive data. Only the intended receiver can use it to retrieve the assertion data.

If both providers support artifacts, you should select this method because it is more secure. For more details, see the Response protocol binding option in Configuring a SAML 2.0 Authentication Request and Configuring a SAML 2.0 Authentication Response in the NetIQ Access Manager Appliance 5.0 Administration Guide.

NOTE: To exchange artifacts, the service provider must be able to establish a direct communication channel with the identity provider.
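The following is an added illustration, not code from the NetIQ guide or from Access Manager, of the difference the paragraphs above describe. It models both response bindings in a few dozen lines of Python: in the Post binding the browser carries the whole (signed) assertion, so anyone holding the form field can read its attributes and only the signature prevents tampering; in the Artifact binding the browser carries an opaque random token, and the assertion is fetched over the direct back channel, by the intended service provider only and only once. An HMAC stands in for the XML-DSig signature, an in-memory dictionary stands in for the artifact resolution channel, and all entity IDs, attribute values and the signing key are constructed for the example.

```python
"""Toy model of the SAML Post and Artifact bindings (added example, not product code).
An HMAC stands in for XML-DSig; a dict stands in for the back-channel ArtifactResolve."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the identity provider's signing key (hypothetical value).
IDP_SIGNING_KEY = b"example-idp-signing-key"


def build_assertion(subject: str, attributes: dict) -> dict:
    """Constructed stand-in for a SAML assertion: issuer, subject and attribute statement."""
    return {"issuer": "https://idp.example.test", "subject": subject, "attributes": attributes}


def sign(assertion: dict, key: bytes) -> str:
    """Canonicalise (sorted JSON here, C14N in real SAML) and MAC the assertion."""
    body = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


# ---- Post binding: the signed assertion travels through the browser ---------------
def post_binding_response(assertion: dict) -> str:
    """Produce the base64 SAMLResponse form field that the browser posts to the SP."""
    envelope = {"assertion": assertion, "signature": sign(assertion, IDP_SIGNING_KEY)}
    return base64.b64encode(json.dumps(envelope, sort_keys=True).encode()).decode()


def what_browser_sees(saml_response_field: str) -> dict:
    """Anyone holding the form field can decode it; base64 is encoding, not encryption."""
    return json.loads(base64.b64decode(saml_response_field))


def sp_verify_post(saml_response_field: str, key: bytes) -> dict:
    """SP side: accept the assertion only if the signature over it still verifies."""
    envelope = what_browser_sees(saml_response_field)
    expected = sign(envelope["assertion"], key)
    if not hmac.compare_digest(expected, envelope["signature"]):
        raise ValueError("assertion signature invalid")
    return envelope["assertion"]


# ---- Artifact binding: the browser carries only a random token -------------------
class IdPArtifactStore:
    """Keeps assertions at the IdP; only an opaque artifact is handed to the browser."""

    def __init__(self):
        self._pending = {}

    def issue_artifact(self, assertion: dict, intended_sp: str) -> str:
        artifact = secrets.token_urlsafe(20)  # random, opaque, contains no user data
        self._pending[artifact] = (assertion, intended_sp)
        return artifact

    def resolve(self, artifact: str, requesting_sp: str) -> dict:
        """Back-channel resolution: only the SP it was issued for, and only once."""
        entry = self._pending.get(artifact)
        if entry is None:
            raise KeyError("unknown or already-resolved artifact")
        assertion, intended_sp = entry
        if requesting_sp != intended_sp:
            raise PermissionError("artifact was not issued for this service provider")
        del self._pending[artifact]  # single use: a replayed artifact fails above
        return assertion


def demo() -> dict:
    """Run both bindings on one constructed assertion and report what each exposes/rejects."""
    assertion = build_assertion("alice", {"mail": "alice@example.test", "role": "admin"})
    sp = "https://sp.example.test"
    results = {}

    field = post_binding_response(assertion)
    results["post_exposes_attributes"] = "alice@example.test" in json.dumps(what_browser_sees(field))
    results["post_valid_accepted"] = sp_verify_post(field, IDP_SIGNING_KEY) == assertion
    tampered = what_browser_sees(field)
    tampered["assertion"]["attributes"]["role"] = "superadmin"  # edit in the browser
    tampered_field = base64.b64encode(json.dumps(tampered, sort_keys=True).encode()).decode()
    try:
        sp_verify_post(tampered_field, IDP_SIGNING_KEY)
        results["post_tamper_rejected"] = False
    except ValueError:
        results["post_tamper_rejected"] = True

    store = IdPArtifactStore()
    artifact = store.issue_artifact(assertion, sp)
    results["artifact_exposes_attributes"] = "alice@example.test" in artifact
    try:
        store.resolve(artifact, "https://other-sp.example.test")
        results["wrong_sp_rejected"] = False
    except PermissionError:
        results["wrong_sp_rejected"] = True
    results["artifact_resolved"] = store.resolve(artifact, sp) == assertion
    try:
        store.resolve(artifact, sp)
        results["replay_rejected"] = False
    except KeyError:
        results["replay_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the guide relies on: the Post field is readable by whoever holds it (so HTTPS and, where needed, encryption protect its contents, while the signature only protects its integrity), whereas the artifact reveals nothing and can be turned into an assertion solely by the service provider it was issued for, over its direct channel to the identity provider.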

Additional SAML protocol options might also need to be configured and matched between the identity provider and service provider. Common options are covered later in this section.